(1) Machine Virtualization
Server virtualization has evolved over the past few years from a nascent technology into a mature information technology (IT) feature. By virtualizing their workloads, organizations can control and cut costs while improving the scalability, flexibility, and reach of IT systems.
Machine virtualization is implemented through a hypervisor or virtual machine monitor (VMM). A hypervisor or VMM is a piece of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine or processor, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems (OSs) with a virtual operating platform and manages the execution of the guest operating systems. The hypervisor manages the system's processor, memory, and other resources to allocate what each operating system requires. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows®, and OS X® instances can all run on a single physical x86 machine. This contrasts with operating-system-level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.
(2) Hyper-V Server Virtualization
With advances in server virtualization, however, comes the realization that virtualization by itself does not allow organizations to build or take advantage of cloud services, which are assuming an ever-growing role in the execution of business tasks.
Hyper-V® by Microsoft Corporation, Redmond Wash., codenamed “Viridian” and formerly known as Windows Server Virtualization, is a native hypervisor; it can create virtual machines on x86-64 systems running Windows®. First introduced as part of Windows Server 2008, expanded and enhanced in Windows Server 2008 R2, and enhanced still further with Windows Server 2012, Hyper-V® provides organizations with a tool for optimizing server hardware investments by consolidating multiple server roles as separate virtual machines running on a single physical host machine. A server computer running Hyper-V® can be configured to expose individual virtual machines to one or more networks.
(3) Hyper-V® Architecture
Hyper-V® implements isolation of virtual machines in terms of a partition. A partition is a logical unit of isolation, supported by the hypervisor, in which each guest operating system executes. A hypervisor instance has to have at least one parent partition, running a supported version of Windows Server (2008 and later). The virtualization stack runs in the parent partition and has direct access to the hardware devices. The parent partition then creates the child partitions which host the guest OSs. A parent partition creates child partitions using the hypercall API, which is the application programming interface exposed by Hyper-V®.
A child partition does not have access to the physical host processor or CPU, nor does it handle its real interrupts. Instead, it has a virtual view of the host processor and runs in a guest virtual address space, which, depending on the configuration of the hypervisor, might not necessarily be the entire virtual address space. Depending on VM configuration, Hyper-V® may expose only a subset of the processor to each partition. The hypervisor handles the interrupts to the processor, and redirects them to the respective partition.
Child partitions also do not have direct access to hardware resources, but instead have a virtual view of the resources, in terms of virtual devices. Any request to the virtual devices is redirected to the devices in the parent partition, which will manage the requests. This entire process is transparent to the guest OS.
(4) Field of the Invention
The invention relates to security arrangements for protecting computers against unauthorized activity, and more particularly to providing agentless virtual firewalls to virtual machines in a virtualized information processing environment.
“Malware,” short for “malicious software,” is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. It is defined by its malicious intent, acting against the requirements of the computer user. It is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software, and is often disguised as, or embedded in, non-malicious files.
As used herein, the term “malware” is intended to have as broad and comprehensive a meaning as possible.
(5) Description of the Related Art
The technical problem of protecting digital computers against malware is inherent in the technical field of network computing. The problem has become more complex now that many systems operate virtualized computing environments in which a single physical host machine supports a number of virtual machines, each effectively functioning as an independent computer. Each virtual machine may run its own operating system, supporting one or more user applications, and may have an associated virtual memory.
There are two basic approaches to protecting such virtual machines against malware. In one approach, each virtual machine operates its own “anti-malware” software in the form of an agent operating on that virtual machine. This agent, or anti-malware software, may, for instance, take the form of modules such as, but not limited to, a firewall, a virtual disk scanner, or some combination thereof. In such cases, the anti-malware software may, for instance, examine system, software and data files for signatures of known computer malware. Having each virtual machine operate its own anti-malware agent is, however, expensive in terms of computing resources and can lead to conflicts in scheduling computing resources if multiple virtual machines on a single physical host machine or system request security scans at the same time. As a result, computing operations slow, resulting in inefficiency and sluggishness of the virtual machines. Having agents on the virtual machines also makes the system less secure, as the software components are accessible from within the virtual machine and malware may use guest, or client, operating system vulnerabilities to disable security scans and/or security data filtering.
A second approach to protecting virtual machines on a single physical host machine or system from malware is to instead have the anti-malware protection software operate on the machine hosting the virtual machines. This is more efficient in terms of computing resources. This approach, however, presents challenges in terms of effectively tailoring the anti-malware protection software so as to properly protect each virtual machine being hosted. Prior art systems have failed to provide manageable solutions to this problem.
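The following PowerShell session is an added illustration of the second, host-side approach using Hyper-V®'s own virtual-switch port ACLs; it is not the method of the invention described herein and not code from the patent. It shows that filtering rules attached to a child partition's virtual network adapter are enforced by the virtual switch in the parent partition, so nothing runs inside the guest and the guest OS cannot switch the rules off. The switch name, VM name, management subnet and port numbers are assumed values chosen for the example; the cmdlets are those of the Hyper-V PowerShell module on Windows Server 2012 R2 and later.

```powershell
# Added example: host-side (agentless) traffic filtering for one Hyper-V child partition.
# Not the patent's own method. Run in an elevated PowerShell on the Hyper-V host.
# All names and addresses below are assumed for illustration.

$SwitchName = 'ExampleInternalSwitch'   # assumed switch name
$VmName     = 'ExampleGuestVM'          # assumed child partition to protect
$MgmtSubnet = '10.0.100.0/24'           # assumed administrative subnet

# 1. Internal virtual switch: attached guests reach the parent partition and each
#    other only; there is no uplink to the physical network. Idempotent create.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Connect the guest's virtual adapter to that switch. The guest sees only a
#    virtual device; the parent partition services every frame it sends or receives.
Connect-VMNetworkAdapter -VMName $VmName -SwitchName $SwitchName

# 3. Start from a clean rule set so the example is reproducible.
Get-VMNetworkAdapterExtendedAcl -VMName $VmName |
    Remove-VMNetworkAdapterExtendedAcl

# 4. Default-deny inbound. Rules with a higher -Weight are evaluated before rules
#    with a lower one, so this low-weight rule is the catch-all.
Add-VMNetworkAdapterExtendedAcl -VMName $VmName -Action Deny -Direction Inbound -Weight 10

# 5. Permit only remote-desktop traffic from the management subnet. -Stateful lets the
#    switch track the TCP session so the guest's replies are allowed automatically.
Add-VMNetworkAdapterExtendedAcl -VMName $VmName -Action Allow -Direction Inbound `
    -RemoteIPAddress $MgmtSubnet -LocalPort 3389 -Protocol TCP -Stateful $true -Weight 100

# 6. Verify from the parent partition. Nothing in the guest was installed or changed,
#    and the guest has no handle through which to remove these rules.
Get-VMNetworkAdapterExtendedAcl -VMName $VmName |
    Format-Table Direction, Action, Weight, RemoteIPAddress, LocalPort, Protocol, Stateful -AutoSize
```

Because the rules live on the virtual adapter object rather than in the guest, a compromised guest that disables its own firewall service gains nothing, which is the security property the host-side approach is meant to deliver; the remaining challenge the text points to is keeping a distinct, correct rule set for each hosted virtual machine.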
The relevant prior art includes:
U.S. Pat. No. 9,118,711 issued to Oliphant et al. on Aug. 25, 2015 entitled “Anti-vulnerability system, method, and computer program product” wherein a system, method, and computer program product are disclosed for displaying, via at least one user interface, a plurality of techniques of different technique types, including a first technique for setting or modifying a policy for mitigating a first occurrence, and a second technique for dropping packets in connection with at least one networked device for mitigating the first occurrence. Based on user input selecting the first technique for setting or modifying the policy for mitigating the first occurrence, the first technique is automatically applied for setting or modifying the policy for mitigating the first occurrence. Based on the user input selecting the second technique for dropping packets in connection with the at least one networked device for mitigating the first occurrence, the second technique is applied for dropping packets in connection with the at least one networked device for mitigating the first occurrence.
U.S. Pat. No. 7,653,633 issued to Villella et al. on Jan. 26, 2010 entitled “Log collection, structuring and processing” describes a log message processing system in which events can be detected and alarms can be generated. For example, log messages are generated by a variety of network platforms (e.g., Windows® servers, Linux servers, UNIX servers, databases, workstations, etc.). Often, relatively large numbers of logs are generated from these platforms in different formats. A log manager described therein collects such log data using various protocols (e.g., Syslog, SNMP, SMTP, etc.) to determine events. That is, the log manager may communicate with the network platforms using appropriate protocols to collect log messages therefrom. The log manager may then determine events (e.g., unauthorized access, logins, etc.) from the log data and transfer the events to an event manager. The event manager may analyze the events and determine whether alarms should be generated therefrom.
U.S. Patent Application Publication No. 20150193257 by Sonnek et al. dated Jul. 9, 2015 entitled “Virtual Machine Services” describes methods and systems for providing virtual machine services. A number of embodiments can include a user VM with a virtual workstation, a number of service modules that can provide a number of services without communicating with the user VM and/or the virtual workstation, a communication channel that allows the number of service modules to communicate with each other, a computing device, and a manager. A number of embodiments can also include a virtual machine monitor to enforce an isolation policy within the system.
Finally, U.S. Patent Application Publication No. 20080040790 by Jen-Wei Kuo dated Feb. 14, 2008 entitled “Security Protection Apparatus and Method for Endpoint Computing Systems” describes a unified security management system and related apparatus and methods for protecting endpoint computing systems and managing, providing, and obtaining security functions. Various forms of the system, apparatus and methods may be used for improved security, security provisioning, security management, and security infrastructure.
Various implementations are known in the art, but fail to address all of the problems solved by the invention described herein. Various embodiments of this invention are illustrated in the accompanying drawings and will be described in more detail herein below.